December saw a truth-is-stranger-than-fiction dramedy acted out on the world stage. A November hack on Sony Pictures Entertainment threatened to engulf not just all of Sony Corp., but companies and businesses far downstream. That has implications for all sorts of businesses, including your clients’—and yours.
At midyear, North Korea announced its displeasure with the comedy “The Interview,” which involved a plot to assassinate Kim Jong Un. Then hackers hit Sony Pictures and stole sensitive information like employees’ Social Security numbers and health records, destroyed data and kept Sony offline for days.
The hack got a lot of airtime, but just a few months ago it was JPMorgan in the news after Russian hackers gained access to the company’s systems and lurked there for three months, pulling data on customers, accounts and more.
The sophistication of the JPMorgan hack was alarming, but it didn’t grab headlines the way the Sony hack did, even though JPMorgan was among 13 financial institutions targeted by what authorities believe were the same hackers.
More companies carry cyber insurance than terrorism coverage, but sometimes the line blurs between the two. In addition, a true furor erupted at the end of 2014 when Congress allowed the Terrorism Risk Insurance Act to expire. The act has since been renewed.
According to Kevin Kalinich, global practice leader of network risk and cyber insurance at Aon Risk Solutions, losses from cyber terrorism “can be much more than offering credit monitoring or redoing the credit card of a consumer.” Furthermore, “the results of those exposures could be much more catastrophic than notifying consumers of retail [leaks],” said Kalinich. He cited a December cyber attack at a German factory where hackers took control of a blast furnace that then could not be shut down. “What stops a malicious attack from having that kind of effect on any kind of business?” Kalinich asked.
Okay, so your advisory firm isn’t a blast furnace. But you’re downstream from banks and other financial institutions that have been, and likely will continue to be, targets. In January, Morgan Stanley fired an employee who it said stole information on thousands of its wealth management clients. The employee, allegedly looking for a buyer for the stolen information, posted details on 900 of those clients online in December; it was discovered during a routine scan.